MVP

Expected RADIUS behaviour for Aruba-ASI (NAS-IP-ADDRESS) ?

Scenario:

  • Aruba AOS8 L2-cluster with ASI, external 3rd-party RADIUS servers.

 

Questions:

  1. When will the NAS-IP-ADDRESS be used by the RADIUS server?
  2. Will a RADIUS server ever try to send a packet to the NAS-IP-ADDRESS? 

 

I'm asking specifically because I'm concerned about my MC's real IP being NAT'd en route to the RADIUS server. The NAT device will of course handle any return traffic to the same source IP, but anything sent to the NAS-IP-ADDRESS will be lost?

 

Thanks


Accepted Solutions
Moderator

Re: Expected RADIUS behaviour for Aruba-ASI (NAS-IP-ADDRESS) ?

NAS-IP is used for Dynamic Authorization.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.



All Replies
MVP

Re: Expected RADIUS behaviour for Aruba-ASI (NAS-IP-ADDRESS) ?

RFC2865 doesn't mention much, only that it is an attribute in the Access-Request packet. It doesn't mention if anything will ever be sent to this IP.

 

https://tools.ietf.org/html/rfc2865#section-5.4

 

5.4.  NAS-IP-Address

   Description

      This Attribute indicates the identifying IP Address of the NAS
      which is requesting authentication of the user, and SHOULD be
      unique to the NAS within the scope of the RADIUS server. NAS-IP-
      Address is only used in Access-Request packets.  Either NAS-IP-
      Address or NAS-Identifier MUST be present in an Access-Request
      packet.

      Note that NAS-IP-Address MUST NOT be used to select the shared
      secret used to authenticate the request.  The source IP address of
      the Access-Request packet MUST be used to select the shared
      secret.

   A summary of the NAS-IP-Address Attribute format is shown below.  The
   fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |            Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Address (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
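
Added example, not part of the thread and not Aruba or RADIUS-server code: a Python check that parses an Access-Request using the attribute layout quoted above and reports whether NAS-IP-Address equals the source IP the server actually saw, which is the condition the NAT question is about. The function names, the sample user name and the sample addresses are constructed for this illustration.

```python
import ipaddress
import struct

ACCESS_REQUEST = 1   # RADIUS Code for Access-Request (RFC 2865)
NAS_IP_ADDRESS = 4   # attribute Type; Length is always 6 (2 + 4 address octets)
NAS_IDENTIFIER = 32  # the alternative identifier allowed by section 5.4


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes of one Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("NAS-IP-Address is only used in Access-Request")
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20  # attributes start after Code/Id/Length/Authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def check_nas_ip(packet: bytes, source_ip: str) -> str:
    """Compare NAS-IP-Address with the source IP seen by the server."""
    attrs = parse_attributes(packet)
    raw = attrs.get(NAS_IP_ADDRESS)
    if raw is None:
        # Section 5.4: NAS-IP-Address or NAS-Identifier MUST be present.
        return "identifier-only" if NAS_IDENTIFIER in attrs else "invalid"
    if len(raw) != 4:
        raise ValueError("NAS-IP-Address must carry 4 address octets")
    nas_ip = ipaddress.IPv4Address(raw)
    return "match" if nas_ip == ipaddress.IPv4Address(source_ip) else "mismatch"


def build_request(nas_ip: str) -> bytes:
    """Constructed sample packet (zeroed authenticator, not a valid login)."""
    user = b"alice"
    attrs = bytes([1, 2 + len(user)]) + user  # User-Name
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    header = struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(attrs))
    return header + bytes(16) + attrs
```

A "mismatch" result means the address carried in the attribute is not the one the request arrived from, for example when the controller's real IP is translated en route.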

 

 

 
